Prevent user from being added to certain groups

Question

Can you please advise on the best way to do this? We have a forest with four domains. In one of those domains we keep consultants, partners, and vendors (lets call it Domain X). The rule is that any user in Domain X should never be a member of any groups in the other three domains, but users in the other three domains can be members of groups in any domain including Domain X. We would like to create a business rule that will prevent Adaxes users from adding users from Domain X to any groups outside of Domain X.

Thanks

Answer 1

Hello,

Yes, this is possible. You can create a Business Rule that will be triggered before adding a member to a group and check, to which domains the user and the group belong. If the user is from the domain where you keep the accounts of your consultants etc, and the group is not from that domain, the Business Rule will cancel the operation. The checking will be done with the help of a PowerShell script. To create such a Business Rule:

1. Create a new Business Rule.

2. On the 2nd step of the Create Business Rule wizard, select Group and Before Adding a member to a Group.
   

3. On the 3rd step, add the Cancel this operation action.
   

4. Click OK.

5. Double-click Always.

6. Select the If PowerShell script returns true condition and paste the following script:
   

    $disallowedDomain = "domain.com" # TODO: modify me
   
    $Context.ConditionIsMet = $False
    $newMemberDomainName = $Context.GetObjectDomain("%member%")
    if ($newMemberDomainName -ine $disallowedDomain)
    {
        return
    }
    $groupDomainName = $Context.GetObjectDomain("%distinguishedName%")
    if ($groupDomainName -ine $disallowedDomain)
    {
        $Context.ConditionIsMet = $True
    }
   

   In the script, $disallowedDomain specifies the domain where you keep accounts for consultants, partners etc.

7. Enter a short description for the script and click OK.

8. Finish creation of the Business Rule.

Comments

Thank you very much for the script. It works as advertised.

---

I need to revisit this. The script has been perfect as long as the changes are being made via the webpage. I am having issue with this business rule and modifying user membership via the Adaxes powershell tools. Right now, I was setting up a after creation user business rule where if the new user attribute employeeType = Consultant then put them into a group, then set that group as the primarygroup, and then remove from the Domain Users group. I receive the following error

 'INT Employee Tpe Rules': Add 'Capt Kirk (alloweddomain.com\\CCG Users)' to 'NoRights (alloweddomain.com\\Security Groups)'  
  Business Rules: Command Processor 'Business Rules' threw an exception when processing the command. A list of actions to be triggered by Business Rules couldn't be generated. Failed to check the following condition of the 'JV Group Access' business rule: If script 'Check for JV domain membership' returns true. Exception calling "GetObjectDomain" with "1" argument(s): "DN '<GUID=d891d948-b77e-4704-8d9e-5e264fe2281d>' is invalid.".

The business rule is using the script provided in this thread unchanged except to insert the disalloweddomain. I used the steps provided here Set user primary group to create the business rule to change the primary group.

I also have the problem when using the Adaxes powershell to modify group memberships and indicating the -adaxesservice switch

PS C:\\Windows\\system32> add-admgroupmember "this group" -member "CN=This User,OU=These Users,DC=alloweddomain,DC=com" -adaxesservice adaxesserver.alloweddomain.com  
add-admgroupmember : Command Processor 'Business Rules' threw an exception when processing the command.  
A list of actions to be triggered by Business Rules couldn't be generated.  
Failed to check the following condition of the 'JV Group Access' business rule: If script 'Check for JV domain membership' returns true.  
Exception calling "GetObjectDomain" with "1" argument(s): "DN '<SID=010500000000000515000000A5209E86A7B2F4A42B877F0E0C940000' is invalid.".  
At line:1 char:1  
+ add-admgroupmember "this group" -member "CN=This User,OU=These ...  
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~  
 + CategoryInfo : NotSpecified: (:) \[Add-AdmGroupMember\], DirectoryComException  
 + FullyQualifiedErrorId : Softerra.Adaxes.PowerShellModule.Commands.SetAdmGroupMemberCommandExecutor:ProcessRecord,Softerra.Adaxes.PowerShellModule.Commands.AddAdmGroupMemberCommand

This script has been great in maintaining our policy about the disalloweddomain members and I am hoping that this is an easy fix.

Thanks in advance

---

Hello,

Can you post a screenshot of your Business Rule?

---

Emailed the image to the support address. I don't have a way to host the image at the moment.

---

Hello,

We've received your email and passed the info to our script guys. We'll update this topic as soon as they come up with something.

I don't have a way to host the image at the moment.

Actually, whenever you need to post an image on this forum, you can just attach it to you post. For this purpose, click the Upload attachment link at the bottom of the Post a reply box, then click Browse, select the image you want to attach, and click Add the file.

---

Can you also send us / post here a screenshot of your Business Rule that changes the primary group?

---

Actually, no need for the screenshot. We managed to reproduce and find the cause of the issue. The thing is when an object is added to a group with the help of the Add to Group action or with the help of the Add-AdmGroupMember cmdlet, the %member% value reference returns the GUID or SID (Security Identifier) of the object instead of the object DN (Distinguished Name). To fix the issue, you need to update the PowerShell script that checks the user's domain before adding it to a group. Use the following version of the script:

$disallowedDomain = "domain.com" # TODO: modify me

$Context.ConditionIsMet = $False
$newMember = $Context.BindToObject("Adaxes://%member%")
$newMemberPath = New-Object "Softerra.Adaxes.Adsi.AdsPath" $newMember.ADsPath
$newMemberDomainName = $Context.GetObjectDomain($newMemberPath.DN)

if ($newMemberDomainName -ine $disallowedDomain)
{
    return
}
$groupDomainName = $Context.GetObjectDomain("%distinguishedName%")
if ($groupDomainName -ine $disallowedDomain)
{
    $Context.ConditionIsMet = $True
}

---

It is the last set where employeeType = Consultant

---

jiambor, we've already managed to find the cause of the issue. see Prevent user from being added to certain groups.

---

The new script is working nicely. Thanks again